Letter From the Anti-Spyware Coalition Conference

As long as I have been writing about computer security, the number one complaint and help request from readers has consistently been how to eliminate or ward off threats introduced by spyware and adware. Having spent the day at the first annual conference of the Anti-Spyware Coalition in Washington, D.C. -- an organization headed by the nonprofit Center for Democracy and Technology -- I found it clear that the ever-evolving threat of "badware" is presenting serious challenges, not just for law enforcement officials and policymakers, but for the vanguard of the tech security and advertising communities as well.

The twin themes that I heard throughout nearly every track of the conference were that a large portion of the spyware problem is being fueled by the advertising imperatives of Fortune 500 companies, and that -- ironically -- the scourge of spyware is perhaps most pronounced in the business environment.

Ed Skoudis, a senior consultant at Washington-based Intelguardians and an incident handler with the Bethesda, Md.-based SANS Internet Storm Center, talked about some 25 pieces of "benign spyware" his company devised to gauge the responsiveness of various protection tools on the market today.

While the company's testing is ongoing, Skoudis said it looks like too many of today's anti-spyware tools fail to detect rudimentary exploits -- such as hijacking a browser's default homepage, or inserting programs into the user's startup folders. Many anti-spyware products display the same weakness that keeps the anti-virus industry hours or even days behind the bad guys, Skoudis says: overreliance on recognizing snippets of known malware, a method that new threats can relatively easily circumvent.

"What we found is that most of the anti-spyware programs are not behavior-based," Skoudis said. "We found that many were either not addressing spyware behavior at all, or had behavior-based detection methods that were fairly trivial to get around."

Jonathan Leibowitz, the lone Democratic commissioner on the Federal Trade Commission, grabbed everyone's attention in the first half of the luncheon keynote address by saying he planned to push the FTC to publicly name the Fortune 500 corporations that are the biggest funders of online ads distributed by shady adware and spyware purveyors.

"Sometimes a little public shaming can go a long way," Leibowitz said. "Naming these legitimate companies that are fueling the nuisance adware problem I believe could help quite a bit."

Wall Street Journal personal technology writer Walt Mossberg gave a rousing speech about the continued failures of the anti-virus industry to properly address the spyware threat by passing off bundles of previously separate products as supposed anti-spyware solutions.

"These days, [Windows users] have to run five different programs, and each has a different system of messages and warnings, and each has a different schedule of renewing your subscription and downloading new code. ... Just keeping yourself safe has become a full-time job."

Mossberg also questioned the legality of tracking users' browsing habits with silently installed "cookies," tiny text files that Web sites often plant on visitors' computers to identify them when they return.

"I wholly reject the effort waged by parts of the ad industry to redefine tracking cookies as non-spyware," Mossberg said. "It's as if all the pickpockets of New York got together and formed a union and went to police and the courts and said 'You know, we're not as bad as the guys who mug you in the alley and break into your house and hold you at gunpoint. We're just pickpockets and we think you ought to redefine us out of the law.'

"We don't have the kind of laws about trespassing on your digital property that we do for your physical property. But the companies that serve ads are creating a market for tertiary web analytics companies who never asked your permission [to plant cookies]. And the big-name media companies are cowards, afraid that if they put some restriction on third- or fourth-party cookies that these companies who serve up or sell the ads won't place the ads on their site."

Mitch Dembin, assistant U.S. attorney for the Southern District of California, argued that the current spyware scourge could be effectively battled in the courts through existing laws rather than the enactment of new ones. Placing computer code -- including cookies -- on a user's computer without their permission and with the intent of collecting and transmitting information about that computer and its user technically already is a violation of federal computer crime laws (specifically Title 18, Part 1, Chapter 47, Section 1030, subsection a2 of the U.S. Code), Dembin said.

The trouble is that simply accessing a protected computer and gathering information about the user is classified as a misdemeanor -- not a felony -- which means no federal prosecutor would bother with bringing charges.

While the Justice Department has sent letters to Congress calling on lawmakers to elevate such violations to a felony offense, Dembin said, he acknowledged that such a change could amount to a "big ox being gored when suddenly so many of today's business and advertising models quickly become felonious."

Dembin also said DOJ was requesting another important change that could make it easier for prosecutors to go after distributors who install adware and spyware without permission. Currently, one portion of Section 1030 that describes a felony -- accessing a protected computer with intent to defraud -- only kicks in when the victim sustains at least $5,000 in damages, which Dembin said can be a problem in an era when simply buying a new computer to replace a hopelessly spyware-riddled one costs less than $1,000.

As a result, the Justice Department also has asked Congress to consider the total damage done to multiple victims by a digital intruder, so that prosecutors could go after an adware distributor who could be proven to have installed the same software on at least 50 computers.

Much of the discussion in today's sessions and in the conference hallways revolved around how so many advertisers are shying away from placing ads directly with adware companies. But if that were really the case, why aren't adware companies like 180Solutions, DirectRevenue or eXact Advertising suddenly going out of business?

Ben Edelman, a Ph.D. student at Harvard University who is probably the most recognized expert on the spyware and adware industry, presented a dizzying array of slides showing that adware companies are simply padding that business relationship with even more intermediaries.

Edelman showed how such an arrangement might work in the case of a computer user who has 180Solutions' ad-serving software installed. The company's clients bid for the right to be the first ad shown when a user searches for a specific subject relevant to the advertiser's business. Edelman showed how a user entering the official Web address for Verizon in their browser might be presented by 180Solutions with a pop-over ad from a site whose sole purpose appeared to be bidding up Verizon searchers and then hosting Google Adsense ads pitching Verizon's services.

If the user then clicks on one of those Adsense spots and purchases something from Verizon's site, Verizon then pays a portion of the sales as commission to all of the parties involved in the transaction, even though the company may have never authorized that Web site or 180Solutions to place ads on its behalf.

Jules Polonetsky, vice president of integrity assurance at America Online, said many companies are mistakenly trusting their advertising partners to take care of promotions directly, when in fact those partners are increasingly subcontracting that work to other parties who do not necessarily have the advertiser's best interests at heart.

"What we're really starting to see are problems of cascading trust, where a company creates a relationship with one party and before you know your brand is six steps away. ... This is breeding an environment that is ripe for abuse," Polonetsky said. "Some big advertisers are now saying, 'Hey, I'm paying commissions to people I shouldn't be paying to, and I'm getting ripped off.'"

Maybe I am showing my age, but I still recall an era where viruses and spyware were very improbable due to inherent security built into the operating system. I call your attention to IBM's VM as an example. This OS did not allow programs to perform any functions be it disk or executing programs etc not specifically allowed by the OS in a user-defined environment.

Why don't we have something even better under Windows? It is the 2000s, computers are more capable and cheaper. Denying the public basic computer security is the fault of Microsoft (in the Windows environment) why isn't there a massive lawsuit filed to recover damages?

"Much of the discussion in today's sessions and in the conference hallways revolved around how so many advertisers are shying away from placing ads directly with adware companies. But if that were really the case, why aren't adware companies like 180Solutions, DirectRevenue or eXact Advertising suddenly going out of business?"

Well, Duh?

Can't you find just one advertiser who will admit that every creative spark was not dreamed up at a quarter to 9 this morning? Maybe you should try again at cocktail hour ...

To be specific, the conventional wisdom for Telemarketing and Spam Floods has always been that they would not exist unless "somebody bought the stuff". The reality is still far from the truth that aggressive advertising would not exist if it was not *paid for up front*. To be bombarded by ads nobody has to have bought a darn thing.

You have to admit that I did scoop you Brian by posting earlier. While I have to admit your coverage of the Workshop is much better than mine! :-)

Speaking about "shame" it was interesting that Yahoo!'s involvement was not highlighted at this conference. Yahoo! of course owns Overture that accounts for over 25% of the revenue at various times of Claria, WhenU and 180.

When people see or think there is easy or a lot of money to be made, what do you expect? In reality there is little difference between the good and the bad, they both want to make themselves richer at others' expense. Some legally; some not legally. If the law is lagging behind, as it often does, then the public has little protection. Those making the profit will make token gestures and try and maintain it is for the public benefit. Anyone with any true sense of justice knows what is going on is not right.